[Title was "Two- Factor Authentication at Vanguard - Update". Several threads are merged into here.
Use this thread to discuss Vanguard's implementation of two-factor authentication. --admin LadyGeek]

Am not currently using the 2FA. Should probably start. So ... does the code get sent from VG every single time you want to log in? I download all my transactions and balances every day in Quicken and dread the inconvenience of going through the text message process every day. Of course, I dread the inconvenience of being wiped out more.

Thanks for the advice!

Last edited by retire57 on Thu Mar 01, 2018 12:13 pm, edited 1 time in total.

You can choose 2FA every time you log in or only when you log in from a new device.

I chose the “new device” only. It must leave a tracking cookie or something. First time I logged in from my home desktop (Win10) it sent a code to my phone. Then when I first logged in from my tablet (iPad). After the first instance, no 2FA.

[edit] At the time, it seemed like a middle path between irresponsibility and paranoia.

Last edited by David Jay on Sat Feb 24, 2018 7:47 pm, edited 1 time in total.


With Personal Capital entering the security code once was enough and I haven't needed a code for subsequent refreshes, but with Mint I get prompted each time, and the data for my Vanguard account is not refreshed until I enter the code. Since Mint and Quicken are both owned by Intuit, I suspect they use the same technology, so you may have to get and enter a new security code every time.

> You can choose 2FA every time you log in or only when you log in from a new device.
>
> I chose the “new device” only. It must leave a tracking cookie or something. First time I logged in from my home desktop (Win10) it sent a code to my phone. Then when I first logged in from my tablet (iPad). After the first instance, no 2FA.

Good to know this. Thanks.


> Am not currently using the 2FA. Should probably start. So ... does the code get sent from VG every single time you want to log in? I download all my transactions and balances every day in Quicken and dread the inconvenience of going through the text message process every day. Of course, I dread the inconvenience of being wiped out more.
>
> Thanks for the advice!

Download via Quicken doesn't require 2FA, only when you log in to the website.

Just an update with some, perhaps, helpful info. Today was the first day I had transactions to download to Quicken from Vanguard since enrolling in the 2-factor authentication. The transactions would not update in Quicken.

Next I logged onto my Vanguard account on my PC and tried the update again and ... it worked.

In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.

Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account. At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.

I am not personally a fan of Vanguard's 2FA offerings. It's understandably designed for availability over security (take note those studying for infosec certs), which means it's designed with the assumption that its users will lose access and offers multiple workarounds. Even if you use the Yubikey option, it still allows account recovery via alternate means, which nullifies such a device. Not to mention Vanguard doesn't really offer the most robust password options.

Through Vanguard's own help guides and warning screens I can safely conclude they recognize 'authorized' devices via browser user-agent strings as well as both browser and local cookie storage (OS ident). Thus if I really wanted to step up my 2FA and protect my account assets, I personally would create a custom system image using a unique/non-common OS and browser combo and save it off as either a CD or virtual image. Then I would change Vanguard's computer access restrictions to "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which according to Vanguard can only be bypassed by an authorized device (the system image created) and no other means, which means if you lost access you would have to go through their customer service. Every time I wanted to access Vanguard, however, I would need to either boot from that CD and/or load up that VM.

It still offers one workaround (customer service); however, it is much more secure than their Yubikey option, if only by lowering the number of available options for account recovery.

Sounds complicated, but really only takes an extra 30 seconds of work, for example I've been browsing the internet and discussion forums such as these through isolated VMs for years... One of the reasons I seldom have excessive security programs on my host machines.

Anyway, that's how I'd approach Vanguard's access options given their current offerings.

In the end, doesn't it depend upon how strict and how thorough the customer service is in preventing the social engineering hacks? Do they ask the questions which only an Equifax hacker would have answers to?

Seriously, once you reach customer service, most financial institutions seem to be quite eager to bail out the customer who claims to have lost the device or forgot the password.

I'm already using 2F for a lot of things. I haven't set it up for VG yet but expect to do so soon, even if the boost in security is marginal.

I have been a bit worried about VG security for a while, and was waiting to see what the bugs were with their 2F before activating--they aren't known for excellent web site management, from what I've seen. For those unfamiliar with 2F or without devices it may be easier to use a good pw management system and update regularly. But the 2nd step authentication is a given nowadays.

With DST coming up, one tip is to change your passwords along with the batteries in your alarms, etc. I used to do this once a year but that's not enough. 3rd party password managers are supposed to be best, but Apple has a good built-in one.

Vanguard also offers a voice verification option, whereby they record your voice on the phone to help verify it's you when you call back next time. This would probably make social engineering attacks on customer service reps less likely; it's one thing to claim to have forgotten your password, it's another to say your voice has changed. While one could always claim to have a cold, I would hope that failing the voice verification would trigger a lot more scrutiny about a caller.

I wish they had an in-between option for when to invoke 2FA. I don't really want to go through it for every logon, but would appreciate some extra security for any time I initiate a buy/sell/transfer transaction or any time I make a change to the account.

Like others, I'd also like to see a TOTP token rather than SMS as the second factor.

FWIW, I've been using 2FA authorization on my Vanguard account since it was offered and Quicken desktop has no problems with it. I can't remember what I did the first time I downloaded after I set it up, but I do remember that I had to do something different. Since then, it's been fine.

I turned on the two-factor identification for Vanguard ...and then turned it back off a few weeks later, after getting frustrated by the fact that it required me to do the text message identification every time I logged into Mint on my phone. At some point I may turn it back on, but I wish they would make it smarter. Surely there is a way to track individual device log-ins, even if you are logging in from a phone and not a computer?

Both Vanguard (Outside Investments) and Fidelity offer aggregation, which is provided by Yodlee in both cases. Two-factor authentication is a new "challenge."

I strongly prefer using the Fidelity aggregation because it is more comprehensive and reliable than Vanguard's aggregation. While Fidelity is apparently working on an API (application programming interface) that will permit Vanguard to "scrape" Fidelity accounts (Fidelity Access), the "experts" at Vanguard appear to have no idea of what is happening, and have no answer to if and when Vanguard will develop the necessary "fix" so that Vanguard accounts can be aggregated by others.

Does anyone have any Information that Vanguard is addressing this problem or is even aware of it?

Poor web site services appear to be a tradition at Vanguard. See my two other posts on this site from about 10 years ago.

Is Vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.

Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.

As I mentioned above several months ago you can harden your 2FA token with the nuclear option of selecting under Vanguard security settings "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which would limit you to customer service should you lose access. At that point the only main weakness left is phishing, however 2FA can't fix that.

Attackers go the path of least resistance and are only as smart as they need to be. 9 out of 10 times when faced with a secure system the last and easiest thing to hack is the human on the other side of the screen/phone.

> Since Mint and Quicken are both owned by Intuit, I suspect they use the same technology, so you may have to get and enter a new security code every time.

This has not been the case for a little over two years. Mint is owned by Intuit, while Quicken is owned by Quicken, Inc., a wholly-owned subsidiary of H.I.G. Capital. That said, you may be correct about them using the same 2FA solution.

> Is Vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.
>
> Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.

I mean, the reason to permit authenticator apps is that they're more secure than SMS and people are more likely to use them than tokens.

As to Quicken, I have both Fidelity and Vanguard, and I have 2 factor on both, and my Quicken updates fine. It seems as if they have given them a backdoor (perhaps read only?) access that bypasses 2FA.

I'm an old school internet user. My Internet Explorer and Chrome browsers delete all cookies when I close them. Consequently, when I log on to my Vanguard account, I am prompted to receive a one time code via email, text, or voice message since my computer was not recognized. I always choose to receive the code via a telephone call on my land line. It's a minor inconvenience I am willing to deal with.

> Is Vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.
>
> Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.
>
> As I mentioned above several months ago you can harden your 2FA token with the nuclear option of selecting under Vanguard security settings "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which would limit you to customer service should you lose access. At that point the only main weakness left is phishing, however 2FA can't fix that.
>
> Attackers go the path of least resistance and are only as smart as they need to be. 9 out of 10 times when faced with a secure system the last and easiest thing to hack is the human on the other side of the screen/phone.

Even with phishing, 2FA wouldn't work unless they actually remotely use your computer to access Vanguard right after you authorize the computer.
You mentioned VG already supports token based auth and U2A. I would still feel more confident in using an authenticator app since the generator key cannot be replicated or reused since it's not stored anywhere. That feels a lot more secure than a keychain generating numbers somewhere or however the token based or U2A works.

Some people think a fingerprint is a secure way to log in to a website, but most fingerprint software stores the passwords in unencrypted (but lightly secured) files and all the FP reader does is just type the password for you, since the websites don't authenticate your fingerprints.

For most people, who aren't doing active trading, a more cumbersome but secure login is always welcome. For day trades, anyone can use any app, and just keep VG for long term investments; in those cases it's OK to go through a few additional steps to access your funds. We cannot always secure ourselves with so much going on, especially apps on phones, so the financial institutions must watch out for their clients. Limiting or preventing access from unrecognized devices or new locations, or requesting more information after 2-3 wrong password attempts, are always great ways to help clients.

> You mentioned VG already supports token based auth and U2A. I would still feel more confident in using an authenticator app since the generator key cannot be replicated or reused since it's not stored anywhere. That feels a lot more secure than a keychain generating numbers somewhere or however the token based or U2A works.

Re-reading my initial response I meant to type Universal 2nd Factor (U2F) not U2A (Whoops). U2F is technically the solution/successor to TOTP authentication apps, the reason being the authentication applications have already been beaten. Not in theory or a white paper but in active campaigns that utilize time-of-use phishing attacks (A one-time-password is still a password, and it can be disclosed to an attacker).

In the case of U2F, the device creates a public/private key pair for each site and burns the site's identity into the "Key Handle" that the site is supposed to use to request authentication. Then, that site identity is verified by the browser each time before any authentication is attempted. The site identity can even be tied to a specific TLS public key. Since it's a challenge-response protocol, replay is not possible either. Last if the server accidentally leaks your "Key Handle" in a breach, it still doesn't affect your security or reveal your identity.

Not saying U2F is a perfect solution, but it's a step in the right direction compared to two factor of old (SecurID, Google Authenticator, email, phone, and SMS loops).
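As an added illustration of the per-site key pair, opaque key handle, browser-supplied origin check and challenge-response described in the post above (my own sketch, not code from any poster or from Vanguard; a simplified model of U2F rather than its real wire format, with constructed origins and no signature counter), in Go using the standard library's P-256 ECDSA:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// randBytes draws n bytes from crypto/rand (its error is ignored only to keep the example short).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// Device is a simplified U2F token: key handle -> cred (private key plus the origin it was minted for).
type cred struct{ priv *ecdsa.PrivateKey; app string }
type Device map[string]cred

// Register mints a fresh P-256 key pair bound to appID; the site stores the handle and public key.
func (d Device) Register(appID string) (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored as in randBytes
	handle := string(randBytes(16))                             // random, so a leaked handle reveals nothing
	d[handle] = cred{priv, appID}
	return handle, &priv.PublicKey
}

// digest binds a response to both the origin and the server's fresh challenge.
func digest(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"|"), challenge...))
	return h[:]
}

// Authenticate is told the origin the browser is really connected to, so a
// look-alike site relaying a stolen handle and challenge gets no signature.
func (d Device) Authenticate(handle, origin string, challenge []byte) ([]byte, bool) {
	c, ok := d[handle]
	if !ok || c.app != origin {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest(origin, challenge))
	return sig, err == nil
}

// SiteVerify is the relying party's check against the public key it stored at registration.
func SiteVerify(appID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, challenge), sig)
}

// Demo: a genuine login, one relayed through a look-alike origin, and a replay of the first response.
func Demo() (genuine, phished, replayed bool) {
	const site = "https://example-broker.test" // constructed relying-party ID
	dev := Device{}
	handle, pub := dev.Register(site)
	c1 := randBytes(32)
	sig, _ := dev.Authenticate(handle, site, c1)
	genuine = SiteVerify(site, pub, c1, sig)
	_, phished = dev.Authenticate(handle, "https://example-br0ker.test", c1)
	replayed = SiteVerify(site, pub, randBytes(32), sig) // old signature against the next challenge
	return
}

func main() { fmt.Println(Demo()) }
```

The real protocol also signs a monotonic counter and derives the per-site key from the handle rather than storing it, but the origin check and the fresh challenge are what make a relayed or replayed response worthless.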

> Re-reading my initial response I meant to type Universal 2nd Factor (U2F) not U2A (Whoops). U2F is technically the solution/successor to TOTP authentication apps, the reason being the authentication applications have already been beaten. Not in theory or a white paper but in active campaigns that utilize time-of-use phishing attacks (A one-time-password is still a password, and it can be disclosed to an attacker).

I would love to see a link to an article reporting on how authentication apps have been beaten in the real world.

Phishing is one of the most common techniques hackers use to gain access to your account or personal information. For example, phishing emails or fake sign-in pages could trick you into revealing critical information, like your password.

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.

> Phishing is one of the most common techniques hackers use to gain access to your account or personal information. For example, phishing emails or fake sign-in pages could trick you into revealing critical information, like your password.
>
> To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.

To provide important context to your Google quote from that same page regarding their GA app:

> Advanced Protection Program
> Google’s strongest security for those who need it most
> The Advanced Protection Program safeguards the personal Google Accounts of those most at risk of targeted attacks—like journalists, activists, business leaders, and political campaign teams.

Thanks for the clarification and further solidifying my original point with TOTP apps. That security token "for those who need it most" Vanguard supports today for us lesser people as well. If they would just omit the various fallback systems, they would have proper 2FA.

Still as I also mentioned above just enabling 2FA is better than no 2FA.

Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures. I've worked in IT security and absolutely hate this feature. It's an overly burdensome solution to a problem easily mitigated with sufficiently-designed password parameters (read >12 characters with complexity requirements).

It also plays havoc on anyone with Mint or Quicken tracking software. Unlike most Bogleheads who look at their balance once a year, I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).

Sad to say, but will probably be transferring everything to Fidelity. This isn't the only reason to make the switch, just the straw that broke the camel's back.

Hate to say it but I think Fidelity will require it at some point too. It is the way the industry is going and their priority should be the safety of your account. It may impact some people but it will make everyone's account much more secure.

It's your prerogative, but I've had 2FA on my Vanguard account from day one and I've never had issues with Mint-syncing.

(Strangely, there is always a message on the bottom of our Mint homepage that SAYS there's an issue with Vanguard but the balance and transaction data is always updated. I think that's actually more of a Mint issue.)

Might be annoying, but Vanguard is doing the right thing. I think in a few years you’re going to see more and more companies begin forcing people to implement the steps. Fortunately, Apple and Microsoft are already trying to ease the burden by automatically capturing the 2FA code, once it’s received, and automatically placing it into the necessary request area. It’s already implemented on iOS 12, which I’m currently beta testing.

I prefer Treasury Direct’s authentication method: they send you a one-time passcode via email. But Vanguard’s authentication method isn’t too bad. They offer you a choice: you can have them require authentication every time you log in to your account, or just when you’re logging in from a different computer. I chose the latter. I’ve logged in many times since then without having to authenticate again, because I’m using the same computer.

I prefer this. What I don't like about it is it only uses phone authentication, so the phone rings in the middle of the night. Then you have to listen to Miss Lisp for a while, because the system isn't smart enough to recognize type-in early on in the process, unlike any place else I know of.